Naeem

Saturday, May 2, 2009

Firewall


A firewall is a device, combining hardware and software, that controls access to and from a network. It gives security administrators a great deal of flexibility and control to allow or disallow particular ports, protocols, and access to particular machines. A typical corporate network includes a "DMZ" (demilitarized zone), which is the only section of the network with direct access to and from the Internet.
The typical corporate environment has three zones: External (untrusted), DMZ (untrusted internal), and Internal (trusted). A DMZ is an "in-between" zone sitting between the internal network and the external network (the Internet). It is designed to compartmentalize security access and reduce the risk of malicious users gaining access to an organization's resources. This zone is treated as untrusted because the servers within it have connections to and from the external network (the Internet).
A firewall can operate at several layers of the OSI model. There are four categories of firewall:
  • Packet filtering firewall
  • Circuit level firewall
  • Application level firewall
  • Stateful inspection firewall

A packet filtering firewall is a router or computer (with special software) that screens incoming and outgoing packets. It reads the information contained in each packet's IP and TCP headers, then accepts or denies the packet according to its configured rules. Typically those rules are based on the source address, the destination address, the application, the protocol, the source port number, or the destination port number. A packet filtering firewall operates only at the network layer of the OSI model.

A circuit level firewall monitors the TCP handshake between trusted clients or servers and untrusted hosts to determine whether a session is legitimate. A circuit level gateway checks the handshake carried out with the synchronize (SYN) and acknowledge (ACK) packets in TCP. Since these packets must occur at certain times and in a certain order, the circuit level gateway verifies that they do before allowing the communication. This type of firewall operates at the session layer of the OSI model.

An application level firewall operates as a proxy between internal and external machines. It intercepts incoming and outgoing packets, copies them, and forwards the information to the destination address. The application level firewall acts as a proxy only for the services it has been configured to proxy. For example, you can set up an application level firewall to proxy HTTP and Telnet requests; if it is not configured to proxy FTP requests, those are dropped. An application level firewall checks packets up through the application layer of the OSI model.

A stateful inspection firewall combines aspects of the previously described firewalls. It operates at the network layer of the OSI model, filtering all incoming and outgoing packets based on source and destination IP addresses and port numbers. It also functions as a circuit level firewall by determining which packets in a session are appropriate. A stateful inspection firewall can also mimic an application level gateway at the application layer. It is one of the most common types of firewall because it combines features of the first three.
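As an added example (not code from the original post), the following Python simulation contrasts a stateless packet filter with a stateful inspection firewall: both use the same rule base, but the stateful version keeps a session table so that the SYN/ACK reply to a permitted outbound SYN is admitted without a blanket inbound rule. The internal prefix "10.", the addresses, and the traffic are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    sport: int          # source TCP port
    dport: int          # destination TCP port
    flags: frozenset    # TCP flags set, e.g. {"SYN"} or {"SYN", "ACK"}

# Packet-filter rule base: (src prefix, dst prefix, dst port, action), first
# match wins, anything unmatched is denied. The single rule lets hosts on the
# assumed internal network 10.0.0.0/8 open HTTP (port 80) connections anywhere.
RULES = [
    ("10.", "", 80, "allow"),
]

def packet_filter(pkt):
    """Stateless decision: only the headers of this one packet are consulted."""
    for src_prefix, dst_prefix, dport, action in RULES:
        if (pkt.src.startswith(src_prefix) and pkt.dst.startswith(dst_prefix)
                and pkt.dport == dport):
            return action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: the same rule base plus a session table, so replies
    to a permitted SYN are admitted without a permanent inbound allow rule."""
    def __init__(self):
        self.sessions = set()   # entries: (client, client port, server, server port)

    def check(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "allow"          # belongs to a session already admitted
        if pkt.flags == frozenset({"SYN"}) and packet_filter(pkt) == "allow":
            self.sessions.add(forward)   # a permitted SYN opens a new session
            return "allow"
        return "deny"               # unsolicited, e.g. a SYN/ACK with no session

if __name__ == "__main__":
    # Constructed sample traffic: an internal client opening HTTP to a web server.
    syn = Packet("10.0.0.5", "203.0.113.9", 40000, 80, frozenset({"SYN"}))
    syn_ack = Packet("203.0.113.9", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"}))
    fw = StatefulFirewall()
    print("packet filter:", packet_filter(syn), packet_filter(syn_ack))   # allow deny
    print("stateful     :", fw.check(syn), fw.check(syn_ack))             # allow allow
```

The stateless filter drops the legitimate SYN/ACK reply, which is why pure packet filters end up with broad inbound rules; the stateful table admits only replies to sessions it has already seen.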
